A zero-day vulnerability is an unrevealed vulnerability to software that hackers can exploit to unfavorably distress computer data, or a network. The term “zero-day” is used since this vulnerability is not announced or reported to the public before being active. This action will leave the software developers and makers no time to prepare in mitigating the possible effects of such vulnerabilities. Google’s Project Zero was able to discover such vulnerabilities in a popular Wi-Fi chip from Broadcom System on a Chip/SoCs. This hardware is commonly used in wide range of smartphone models, including iPhones, Samsung and even Nexus models.

Image source: threatpost.com

Project Zero has been at work since its inception in 2014 where the team is able to help users in eliminating security flaws or exploits by way of frequently releasing information about harmful bugs, susceptibilities, vulnerabilities to the manufacturers. Then, Project Zero will allow the manufacturers with ample time (but usually a short timeframe) to make the necessary adjustments and corrections to the problem before the findings are presented to the public.

This time, the team discovered susceptibility with Broadcom’s Wi-Fi hardware. Gel Beniamini, an analyst for Project Zero and the discoverer of this susceptibility, claimed the following results:

Exploiting such flaw can be done by a hacker within the Wi-Fi range of a device having the Broadcom hardware by simply executing arbitrary codes on the chip

No user interaction is necessary to do full device takeover as long as it is within the Wi-Fi proximity

This means that anybody being linked on a shared Wi-Fi network, whether public or private, have their device susceptible of being compromised since their device comes with the Wi-Fi system from Broadcom.

Beniamini disclosed that while the implementation of the firmware on the Wi-Fi chip is amazingly multifaceted and complex, it is still lagging behind when talking about security. In particular, it is lacking with the entire fundamental mitigations for exploiting that includes safe unlinking, stack cookies and protection for access permission through the use of Memory Protection Unit (MPU). These findings were given to Broadcom for them to make the necessary corrections.

Fortunately, Broadcom welcomed the findings positively and came up with a fast response. The nasty vulnerabilities make use of a series of exploitation in breaching the security of Broadcom SoCs and this can lead to full takeover of the device and all of these are done wirelessly, with no direct contact with the device in question. Broadcom have informed Project Zero of their mitigation efforts, in which newer versions of their SoC make use of the MPU, on top of the many additional security mechanisms for their hardware.

Image source: securelaptop.org

The susceptibility reported by the bug discoverer in Project Zero leads to updates in both Apple and Google. For Apple, the issue was resolved with the roll out of update 10.3.1 as soon as the news broke out even if the 10.3 update was finished just a week ago and even if the testing of the susceptibility was conducted using an Android-based smartphone (Nexus 6P to be exact). The main reason is that Apple also ran using the Broadcom chip.

The success of Project Zero in unearthing zero-day vulnerabilities helped manufacturers in making mitigating measures to counter them. This in turn benefits the millions of mobile device users that have Broadcom’s Wi-Fi chip on their devices. This is indeed a remarkable improvement for both the discoverer and manufacturer leading to the progress in the right direction.